Your iPhone calendar isn’t private—at least if you use the LinkedIn app

Researchers have found that the LinkedIn iPhone app transmits all manner of data from your iPhone's calendar to LinkedIn's servers without notifying the user.

Today's not a good day to be a LinkedIn user—doubly so if you use LinkedIn's iPhone or Android app. Researchers have discovered that the app scrapes users' calendar items and sends the data back up to its servers, even when those calendar items were created outside of the LinkedIn app. The scraped data includes participant lists, subjects of entries, times of meetings, and any attached meeting notes (such as dial-in details and passcodes).

The LinkedIn app manages to gain access to your calendar items because it has a feature that allows you to view your calendar from within the app itself. According to security researchers Yair Amit and Adi Sharabani, the app then transmits this information to LinkedIn's servers without any clear indication to the user that this is happening—a throwback to the Path controversy that revealed the social networking app (among many others) had been transmitting users' contact lists to a remote server without explicit user consent.

Amit and Sharabani plan to present their report at a cyber security conference in Tel Aviv on Wednesday. In their report seen by Ars, they note that the information being collected by the LinkedIn app has no apparent relevance to the app's functionality, though they don't believe LinkedIn has included this functionality maliciously. "However, we are concerned by the fact it collects and sends-out sensitive information about its users, without a clear indication and consent," the researchers wrote.

LinkedIn defends itself by arguing that the calendar-viewing feature is opt-in, according to a statement given to the New York Times. "We use information from the meeting data to match LinkedIn profile information about who you’re meeting with so you have more information about that person," a spokesperson told the newspaper. Still, the company did not go into detail as to why it sends calendar data to its servers or why it doesn't make this feature obvious to users, potentially adding itself to the list of app makers being grilled on user privacy by members of Congress.

LinkedIn has now also made a blog post explaining its position on the app.

"In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information," the company wrote. "In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes."

LinkedIn points out that it does ask for permission when accessing the calendar (though it doesn't explicitly tell users it's going to upload the data), and says the feature can be turned off at any time. LinkedIn also insists that it doesn't actually keep any of the data transmitted to its servers, and it doesn't share the data "for purposes other than matching it with relevant LinkedIn profiles."

As for what the app will do moving forward: "We will no longer send data from the meeting notes section of your calendar event. There will be a new 'learn more' link to provide more information about how your calendar data is being used." LinkedIn says these updates are already live on the Android app and will be coming to the iOS app shortly.

This crap has got to stop. I don't install anything on my phone that requires access to features not needed for the app...most folks do not pay attention and install regardless, trusting the company to not abuse their users this way. It's worse when the apps are able to get data from places they are not supposed to be fiddling around with for any good reason to function properly.

I wish there was an option on the phones for privacy from apps, that prevents apps from being installed, or installed apps from accessing data that you specifically say is for private use only. This should work if you apply settings to prevent programs from accessing certain data on the phone regardless of permissions the app requests.

I can only imagine the amount of confidential info that is going into LinkedIn servers, and I hope they get sued to hell over this...LinkedIn is supposed to be a professional network...not a honeypot for professional user data.

I have just disabled it and whilst there had a gloss over their privacy policy. Mentions nothing about gathering private, potentially sensitive business calendar data. It's not just my data exposed, it's people I deal with too. Opt in or not, you can't install an app and unknowingly expose my colleagues' phone numbers and teleconference detail.

Besides, enough I know broadcast their activities and whereabouts freely on Twitter using Path links and other features...

Not shocked at all, and why I keep my social networking items separated. Personally, I think this is an issue of due diligence. It's really ironic that a good portion of the public may be up in arms over "privacy", but then freely broadcasts sensitive information.

Do most people ever bother to consider what they are giving up in the bargain?

Daft question but I assume the Android version doesn't have this "feature"?

It's on the Android version, too. I just logged in (I hadn't logged in to LinkedIn in a while) and there at the top of the screen next to "LinkedIn Today" is a Calendar entry for today.

When you install the android app it says it has access to all your calendar and contact info...

Read calendar events
Read contact data
Write contact data

Those three permissions don't substantiate "forwarding your calendar events and contact data to a company that may or may not sell the information to marketing agencies for profit" however.

If you give someone some information (read calendar events) you can't prevent them from doing what they want with their new information after the fact (upload to server). It works the same way with apps as it does with people. If you don't trust them with it, don't give it to them.

This is why you shouldn't use apps unless they give you something worthwhile and you trust the developer (in this case you should trust LinkedIn of course). I've gone through and uninstalled a few other apps that I never use. There seems very little that I can do to stop them from "harvesting" my data.

Here is the mobile project lead on why they didn't want to do responsive design for the iPad, but an app instead. Guess they really just wanted to steal data.

Deleted the app on my iPhone and iPad instantly. NO way am I ever letting them on my devices again. It's not that they did it, but that they did not clearly say what they were doing. They are not to be trusted.

I am glad that I never saw the point in installing an app for LinkedIn, their mobile web page works fine for me.

Really I do not see the point in installing most of the apps out there. Like all the news websites, please stop trying to push some lame app on me, all I want to do is read an article. A web browser is more than capable of displaying an article. And web pages do not get access to my contacts and calendars, which is a big feature in my mind.

I do wonder if this will have any effect on LinkedIn's usage. I know many companies where LinkedIn profiles have replaced resumes as the primary source of information about a candidate. Pretty hard to avoid it if you are looking for a job in certain industries.

How right you are. And there are analogues to LinkedIn in the creative field.

More or less, we are (at least those of us engaging in social media) becoming like minor celebrities. This has benefits and weaknesses. Coming from the DC area, where "my only comment is that I have no comment" is the standard MO, I'm a bit reticent.

And this is why Google needs to intro advanced permissions controls per app. So that the user can override this in the case where they worry about its implications. But then I guess that will never happen as the first thing people will do is kill the net connection on games so that it can't download ads and such...

At a glance, they could implement the functionality they're after by sending only hashes of the meeting info. That would allow them to discover relevant matches in LinkedIn space without transmitting the kitchen sink.

We developers need to start giving a damn about these sorts of privacy issues — because I'm quite sure that most of the companies paying our bills aren't going to.

Ehh.. well it also often breaks apps that expect that stuff.. so no you prob. won't see it without hacking... same thing with iOS... you can not let users just turn off features without expecting certain things to break...

App developers need to be straight about what they are doing.

If a PC or Mac program just started uploading your xls files to some server without your knowledge I think you would be pissed, and not use that application and possibly even sue...

I really want to be mad about this, but if you opt-in to see profile information about people in your meetings, then how else can they do it? You can argue that they should do the processing on the device and only send names back to the server, but data about your meeting NEEDS to go to their servers if you want information from them.

Another good reason to not use apps for stuff that can be handled with web browser.

And there it is. I've been complaining about the appification of web sites from day one. Just write your web site correctly to handle a range of devices and screen sizes, don't support multiple products.

Granted, LinkedIn's mobile site doesn't work for crap -- in fact *doesn't work at all* on both of my Android devices.

Their explanation sounds legitimate to me.

Agreed, when I first saw the calendar feature and how it would provide info about people you're meeting, I thought, oh, they're sending my calendar data to their servers, no thanks. Opting in for an app to access your calendar, phone book etc. means they are going to use it. And being a service+client based architecture means they are going to send the data to the service. I know we are getting used to clicking before thinking these days (see any user agreement when installing software) but really this was pretty obvious to me. Not really seeing scary big brother here.

I think the problem people are having with it is that the app isn't just sending the names and/or email addresses of whoever's in the meeting, (which, I agree - if you're going to get LinkedIn information on people at your meeting, how else is LinkedIn supposed to give you that data) it's also sending everything in the notes of the meeting entry, which could contain confidential information and which really serves no good reason to be sent to LinkedIn's servers.
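The data-minimisation idea raised in the comments above (send only hashes of attendee addresses, and never the meeting notes), sketched as an added example that is not part of the article or any comment and is not LinkedIn's code. The event field names, the sample event and the member index are constructed assumptions.

```python
import hashlib
import json
import re

# Constructed sample event; the field names are assumptions for illustration.
SAMPLE_EVENT = {
    "subject": "Q3 acquisition review",
    "location": "Board room 4",
    "notes": "Dial-in 555-0100, passcode 482913",
    "attendees": ["Alice.Smith@Example.com ", "bob@example.org", "not-an-email"],
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def email_token(raw):
    """Normalize an address and return its SHA-256 hex digest, or None if malformed."""
    addr = raw.strip().lower()
    if not EMAIL_RE.match(addr):
        return None
    return hashlib.sha256(addr.encode("utf-8")).hexdigest()


def minimize_event(event):
    """Client side: build the upload from an allow-list of one derived field.

    Subject, location and notes are never copied into the payload, so a field
    added to the event later cannot end up in the upload by accident.
    """
    tokens = {email_token(a) for a in event.get("attendees", [])}
    tokens.discard(None)
    return {"attendee_tokens": sorted(tokens)}


def match_profiles(payload, member_index):
    """Server side: look up tokens in an index keyed by the hash of each member's email."""
    return sorted(member_index[t] for t in payload["attendee_tokens"] if t in member_index)


# Constructed server-side index: one attendee is a member, the other is not.
MEMBER_INDEX = {email_token("alice.smith@example.com"): "Alice Smith (constructed profile)"}

if __name__ == "__main__":
    upload = minimize_event(SAMPLE_EVENT)
    print(json.dumps(upload, indent=2))          # only attendee_tokens is sent
    print(match_profiles(upload, MEMBER_INDEX))  # profiles found for known members
```

Because email addresses are guessable, a hash of one can be matched by hashing candidate addresses, so this limits what leaves the device rather than making attendees anonymous to the server.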

At least as a knowledgeable user I can install a firewall that will throw a warning if some program I did not clear wants to make a connection, best I can tell nothing like that can be made for Android (or iOS for that matter) without rooting. One could also potentially store the files one worries about under a different user, and use OS functionality to run programs as that user when needed. I sometimes wonder if I should run all web browsers in that manner.

A firewall like that wouldn't make a difference if/when they POSTed that data via HTTP/HTTPS, really.